Program logic bugs vs input/environmental errors
via Digitalmars-d
digitalmars-d at puremagic.com
Fri Oct 3 09:10:58 PDT 2014

On Friday, 3 October 2014 at 15:43:59 UTC, Sean Kelly wrote:
> My point, and I think Kagamin's as well, is that the entire
> plane is a system and the redundant internals are subsystems.
> They may not share memory, but they are wired to the same
> sensors, servos, displays, etc. Thus the point about shutting
> down the entire plane as a result of a small failure is fair.

An airplane is a bad analogy for a regular server. You have
redundant backups everywhere and you are not allowed to take off
at the smallest sign of deviation from normal operation. You will
never see D in a fighter jet (and you can probably not fly it
without the controller in operation either; your only choice is
to send the plane into the ocean and escape in a parachute).

I think Walter forgets that you ensure integrity of a complex
system of servers by utilizing a rock-solid, proven transaction
database/task-scheduler for handling all critical information. If
that fails, you probably should shut down everything, roll back
to the last backup and reboot.

But you don't shut down a restaurant because the waiter forgets
to write down an order every once in a while, you shut it down if
the kitchen is unsuitable for preparing food. After sanitizing
the kitchen you open the restaurant again. You also don't fire
the sloppy waiter until you have a better waiter at hand…